1. ALERT PRIORITIZATION AND STRENGTHENING: TOWARDS AN INDUSTRY STANDARD PRIORITY SCORING SYSTEM FOR IDS ANALYSTS USING OPEN SOURCE TOOLS AND MODELS OF MACHINE LEARNING.
- Author
  DANGI, BIKRAM, GAMET, JEREMY, KULM, ARICA, NELSON, T. J., O'BRIEN, AUSTIN, and PAULI, WAYNE E.
- Subjects
  MACHINE learning, INTRUSION detection systems (Computer security), STATISTICAL bootstrapping, DECISION trees, RANDOM forest algorithms, COMPUTER security
- Abstract
  Intrusion detection systems ("IDSs") are generating volumes of alert messages around the clock, leaving alert response teams with a daunting task: determining which alerts are worth investigation and which alerts are not. IDS analysts must quickly identify false positives in order to maximize the response time dedicated to concrete threats. We explore using open dataset bootstrapping for IDS alerts. Our method requires using generically trained machine learning ("ML") models derived from modern traffic flow data as a guide in initial IDS configuration and deployment, followed by suggested periodic private retraining of these models. Our technique also suggests adoption of a baseline metric for analysts, helping rank traffic flow data by likeliness of a threat. We surveyed several datasets, including the CSE-CIC-IDS2018 dataset, used for collecting baseline threat detection accuracy measurements. Some models tested, including decision trees and random forests, yielded less than 2% Type 1 and Type 2 combined error. We have also published selected online samples from our tests as illustrative supplements. Our method strives to be simple to implement and uses publicly available IDS and ML tools, including various Python frameworks. We intend to give analysts hoping to augment their security workflows with ML a proven and accessible workflow, and to establish a standard for comparison. [ABSTRACT FROM AUTHOR]
- Published
  2020